Does anyone know of a one-stop guide to different group policies? I know there are way too many possibilities to list in one guide. All I am looking for is the most commonly used ones or perhaps ones that make a sysadmin's life a little easier. I am not looking to over-complicate my network but I would not mind some improvements and I know there is so much that can be done via group policy but I don't have much experience in the area. Anyway I would like to hear what you guys use, beyond things like password policies which we already have set.

This person is a verified professional.

Somehow I managed to post this to the wrong thread earlier this morning:

Rather than attempt to upload a backup of the settings or a report of the settings, which is long and contains more info than I would want to share, here are some screenshots that should help.

Selected in the first screenshot is the setting for hiding a drive. Below that are the properties tabs. Use Item-level targeting to select which user groups this setting would apply to. Everyone who is not a member of the security group, DOMAIN\Domain Admins should be targeted. You can add additional criteria and specify ANDs and ORs as well as ISs and IS NOTs.

As you can see from the first screenshot, I have M: (hidden) and M: (shown). The second one applies to the admins.

You can probably still use a login script at the same time to map drives if you have problems where users do not get the mapping from the policy.

8 Replies

This person is a verified professional.

We have policies for mapping drives, hiding mapped drives, etc. without using login scripts. Other policies we use govern the use of general-use computers in production, where we lock down just about everything so that all they can do is access icons in a folder that pops up after they log in. Nothing in the start menu, no right-clicking, etc.

Citrix servers may need to have their own specific policy if you allow access to the desktop. You don't want people rebooting your server.

You can create policies to force a specific screensaver that may include company messages, images, written policy, etc.

You can set up MS Office policies that set default settings and other conditions to maintain a uniform setting for all, such as file save locations, etc.

You can set policy for Internet Explorer, Firefox, etc. to disable access to the browser's various properties, lock down a specific proxy server, etc.

These will get you started. The best advice I can give you is test with test users and then small subsets of users. Add GPOs for each change you want to make instead of editing the default domain policies.

This person is a verified professional.

I can send settings if you want any of these, one Yoda to another.

Is there a benefit to using Group Policy rather than a login script for mapping drives? I have always done this through login script but never through a GPO. The policy for the screen saver could be interesting although I do not know how my users would take to it, lol. Things like that I am not so concerned with. Certainly implementing a GPO to ensure a user's desktop will lock after a period of inactivity could be useful as we do not have anything like that in place now and often I find users leave their desktops logged in. I am unsure of the exact settings of where to set this though and I am trying to save myself the aggravation of trying to find it.

This person is a verified professional.

I have found that through Group Policy, it does not always work. Something may be screwed up on my network to cause this, as the problem only affected users on a specific switch - their drives were missing.

Our MRP system, Fourth Shift, is installed on the M: drive of the server. All users must map to this drive as their M: drive. Problem is that the users must also have read/write access to many critical areas of that drive and the last thing I need is for them to directly access and change anything there. So, I use group policy to map and hide the drive. The client software still accesses the M: drive and does what it needs to do. The user just does not see the drive. One interesting thing was that I could remove/add/hide drives based on what user groups a user belonged to. One policy setting for each user group, one policy to rule them all.

There are a number of things to take a look at in the same area as the drive mapping.

It would be really interesting to see the setting to set this as it terrifies me a little that in order for my users to access our Peachtree database they have to be mapped to the share that contains the database and have read/write access as well. I worry every day that someone is going to delete something and then poof we're screwed. It would be cool if that share could be hidden though.

1st Post

For just about every setting that a user could configure on their machine there's a Group Policy to configure that setting for them, including settings so that they can't change them. These settings can be made so that they deploy to the whole domain or to a specific group of machines or users. For example, we have a web-based user portal which provides quick and easy access to just about every application in our network so we have the users' default homepage set to that site. We certainly don't like having users' desktops unlocked while they're away so all workstations lock down after 5 minutes of inactivity. You can even configure a machine so that it does nothing more than provide a web session or run a specific application for things like customer facing kiosks or workstations that are shared by multiple users. VPN connections, desktop icons, software, security. The list goes on and on. All that to say there's no right or wrong setup. There are some best practices you can follow but other than that you really have to evaluate each setting in GP and make a determination as to your specific needs.
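Added example, not part of any post in this thread: one way to build the inactivity lock discussed above as its own GPO, filtered to a test group first rather than edited into the default domain policy. The GPO name, OU path, domain and group name are hypothetical placeholders; the cmdlets come from the GroupPolicy module that ships with RSAT/GPMC.

```powershell
# Added example. Names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName   = 'Workstation - Lock After Inactivity'      # hypothetical
$TargetOU  = 'OU=Staff,DC=example,DC=local'             # hypothetical
$TestGroup = 'GPO-Test-Users'                           # hypothetical
$Timeout   = 300                                        # seconds (5 minutes)

# Separate GPO for this one change, so it can be unlinked without side effects.
New-GPO -Name $GpoName -Comment 'Password-protected screen saver after idle timeout' | Out-Null

# User-side policy values behind "Enable screen saver", "Password protect the
# screen saver", "Screen saver timeout" and "Force specific screen saver".
$Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Values = [ordered]@{
    'ScreenSaveActive'    = '1'
    'ScreenSaverIsSecure' = '1'
    'ScreenSaveTimeOut'   = "$Timeout"
    'SCRNSAVE.EXE'        = 'scrnsave.scr'   # blank saver; the timeout needs one set
}
foreach ($Name in $Values.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Name `
        -Type String -Value $Values[$Name] | Out-Null
}

# Security filtering: only the test group applies the GPO for now.
# Authenticated Users keep Read so clients can still fetch the policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TestGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link to the OU and write a report to review before widening the scope.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\lock-gpo.html"
```

On a test user's machine, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied or filtered out.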
